Index: third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp |
diff --git a/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp b/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp |
index 07080c840278229a7e29a82ee6df1c69ff602606..2fc251f94586049ee78ff5c58c9a76e7a23845db 100644 |
--- a/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp |
+++ b/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp |
@@ -121,13 +121,24 @@ bool SVGImage::IsInSVGImage(const Node* node) { |
return page->GetChromeClient().IsSVGImageChromeClient(); |
} |
+void SVGImage::CheckLoaded() const { |
+ CHECK(page_); |
+ |
+ LocalFrame* frame = ToLocalFrame(page_->MainFrame()); |
+ |
+ // Failures of this assertion might result in wrong origin tainting checks, |
+ // because CurrentFrameHasSingleSecurityOrigin() assumes all subresources of |
+ // the SVG are loaded and thus ready for origin checks. |
+ CHECK(frame->GetDocument()->LoadEventFinished()); |
+} |
+ |
bool SVGImage::CurrentFrameHasSingleSecurityOrigin() const { |
if (!page_) |
return true; |
LocalFrame* frame = ToLocalFrame(page_->MainFrame()); |
- CHECK(frame->GetDocument()->LoadEventFinished()); |
+ CheckLoaded(); |
SVGSVGElement* root_element = |
frame->GetDocument()->AccessSVGExtensions().rootElement(); |